Nova doesn't validate user/project is valid from keystone during admin operations

Bug #1544989 reported by Sean Dague
Affects: OpenStack Compute (nova)
Status: Fix Released
Assigned to: Sean Dague

Bug Description

For any API call to Nova which takes a tenant_id / user_id as a parameter, and inserts it into the Nova database, no validation is done of these values.

This is currently by design, largely because there is no clear way to check the existence of those users/projects. Nova has no generic credentials to do that to Keystone. It's unclear if there is a way to do this from a non admin user.

Many other bugs are related to this fundamental issue for which there is no infrastructure. This includes updating quotas, adding access to flavors, etc. This will be a placeholder for all those bugs until there is some way to actually address this at the root.
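The check the description says is missing, as an added illustration that is not nova's own code: before an admin API writes a caller-supplied project id into the database, look it up in Keystone's v3 identity API with service credentials, reject ids Keystone reports as nonexistent, and treat a 403 (the "no credentials to ask Keystone" situation above) as unverifiable rather than as a failure. `KEYSTONE_URL`, the injected `http_get` callable and the fake Keystone responder are assumptions so the code runs offline.

```python
import re
from typing import Callable, Dict, Tuple

KEYSTONE_URL = "https://keystone.example.invalid/identity"  # placeholder (assumption)
# The id is interpolated into a URL path, so reject anything that is not a
# plain token before a request is even built (no "../", "?", "#" etc.).
_SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
HttpGet = Callable[[str], Tuple[int, Dict]]  # GET url -> (status_code, json_body)


class InvalidProjectId(ValueError):
    """The request supplied a project id that must not reach the DB."""


def verify_project_id(project_id: str, http_get: HttpGet) -> str:
    """Look project_id up in Keystone; return 'found', 'missing' or 'unverified'.

    'unverified' is the 403 case from the bug report: the service credentials
    lack identity:get_project, so existence simply cannot be checked.
    """
    if not _SAFE_ID.match(project_id or ""):
        raise InvalidProjectId(f"malformed project id {project_id!r}")
    status, _body = http_get(f"{KEYSTONE_URL}/v3/projects/{project_id}")
    if status == 200:
        return "found"
    if status == 404:
        return "missing"
    if status == 403:
        return "unverified"
    raise RuntimeError(f"unexpected Keystone response {status}")


def ensure_project(project_id: str, http_get: HttpGet) -> None:
    """Admin-API guard: refuse ids Keystone says do not exist; pass through
    'unverified' so a locked-down Keystone does not break the API outright."""
    if verify_project_id(project_id, http_get) == "missing":
        raise InvalidProjectId(f"project {project_id} does not exist in Keystone")


# Constructed stand-in for Keystone so the example runs offline.
_KNOWN = {"c5b9a0e1f2d34c7a8b9e0d1f2a3b4c5d"}


def fake_keystone(url: str) -> Tuple[int, Dict]:
    pid = url.rsplit("/", 1)[-1]
    if pid in _KNOWN:
        return 200, {"project": {"id": pid, "enabled": True}}
    return 404, {"error": {"code": 404, "title": "Not Found"}}
```

In a real service the `http_get` argument would be a Keystone session authenticated with the service's own credentials, and a 'missing' result maps to an HTTP 400 back to the admin caller.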

Tags: api
Sean Dague (sdague) wrote :

Marked Low because we really have no idea how to get the core infrastructure together to address this.

Changed in nova:
status: New → Confirmed
importance: Undecided → Low
tags: added: api
Changed in nova:
assignee: nobody → Ravali Gudipati (ravali.gudipati)
description: updated
Ravali Gudipati (ravali.gudipati) wrote :

Regarding the first paragraph in the bug description, changes can be made in nova to check whether the given input parameter is present in the available tenant-ids or not, for an admin user. But, according to the policy.json files corresponding to nova and keystone, non-admin users do not have the privileges to check the available projects, update the quotas, or access the flavors.
Regarding the third paragraph in the bug description, it is mentioned that many more bugs are related to this fundamental issue and there should be a way to address this at the root. As this bug is related to issues with admin and non-admin privileges, can you please provide a more elaborate description of what "addressing at the root" means. Also there is a blueprint related to the bug- "".

Matt Riedemann (mriedem) wrote :
Changed in nova:
status: Confirmed → In Progress
assignee: Ravali Gudipati (ravali.gudipati) → Sean Dague (sdague)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Submitter: Jenkins
Branch: master

commit 1f120b5649ba03aa5b2490a82c08b77c580f12d7
Author: Sean Dague <email address hidden>
Date: Fri Feb 17 07:55:43 2017 -0500

    Verify project id for flavor access calls

    This includes project id verification for flavor access calls.

    Closes-Bug: #1544989

    Implements bp:validate-project-with-keystone

    Change-Id: I2620c3ebc2a6dc131946602f8aa36ec0b6e782e0

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova

This issue was fixed in the openstack/nova development milestone.
